9b261c008a
Also including the supporting changes required to pass make test. A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
-- $Id$ --

-- PKINIT: public-key cryptography for Kerberos initial authentication.
-- The id-pkinit arc (1.3.6.1.5.2.3) and the un-suffixed type names follow
-- RFC 4556; the "-Win2k" types under "Windows compat glue" and the "-BTMM"
-- type are pre-standard / vendor layouts kept for interoperability and must
-- keep their exact tags and integer ranges.  Types that end in "..." are
-- extensible: a decoder must skip unknown trailing components instead of
-- rejecting the message.  Many payloads are carried as IMPLICIT OCTET STRING
-- (raw CMS / DER bytes); their inner decoding and signature verification
-- happen in the code that uses this module, not in the schema.

PKINIT DEFINITIONS ::= BEGIN

IMPORTS EncryptionKey, PrincipalName, Realm, KerberosTime, Checksum, Ticket FROM krb5
	IssuerAndSerialNumber, ContentInfo FROM cms
	SubjectPublicKeyInfo, AlgorithmIdentifier FROM rfc2459
	heim_any FROM heim;
-- NOTE(review): ContentInfo is imported above but not referenced by any
-- type in this module; left in place since generated code may depend on it.

-- Object identifiers --

id-pkinit OBJECT IDENTIFIER ::=
	{ iso (1) org (3) dod (6) internet (1) security (5)
	  kerberosv5 (2) pkinit (3) }

-- id-pkinit 1..3 are the CMS content types of the signed/encrypted
-- payloads carried in the OCTET STRINGs below; 4 and 5 are the
-- extended-key-usage values expected in client and KDC certificates
-- (RFC 4556 names them id-pkinit-KPClientAuth / id-pkinit-KPKdc).
id-pkauthdata OBJECT IDENTIFIER ::= { id-pkinit 1 }
id-pkdhkeydata OBJECT IDENTIFIER ::= { id-pkinit 2 }
id-pkrkeydata OBJECT IDENTIFIER ::= { id-pkinit 3 }
id-pkekuoid OBJECT IDENTIFIER ::= { id-pkinit 4 }
id-pkkdcekuoid OBJECT IDENTIFIER ::= { id-pkinit 5 }

-- Key-derivation function identifiers; presumably the values placed in
-- KDFAlgorithmId.kdf-id when a KDF is offered (AuthPack.supportedKDFs)
-- and when one is selected (DHRepInfo.kdf).
id-pkinit-kdf OBJECT IDENTIFIER ::= { id-pkinit 6 }
id-pkinit-kdf-ah-sha1 OBJECT IDENTIFIER ::= { id-pkinit-kdf 1 }
id-pkinit-kdf-ah-sha256 OBJECT IDENTIFIER ::= { id-pkinit-kdf 2 }
id-pkinit-kdf-ah-sha512 OBJECT IDENTIFIER ::= { id-pkinit-kdf 3 }

-- otherName type for a Kerberos principal in a certificate's
-- subjectAltName; the value is presumably KRB5PrincipalName (below).
id-pkinit-san OBJECT IDENTIFIER ::=
	{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
	  x509-sanan(2) }

-- Microsoft enterprise-arc equivalents: an EKU and a UPN-style
-- subjectAltName whose value type is MS-UPN-SAN.
-- NOTE(review): which SAN form is trusted for certificate-to-principal
-- mapping, and whether it must match the requesting client, is policy in
-- the KDC/client code; this schema cannot enforce it.
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
	{ iso(1) org(3) dod(6) internet(1) private(4)
	  enterprise(1) microsoft(311) 20 2 2 }

id-pkinit-ms-san OBJECT IDENTIFIER ::=
	{ iso(1) org(3) dod(6) internet(1) private(4)
	  enterprise(1) microsoft(311) 20 2 3 }

MS-UPN-SAN ::= UTF8String

-- PA-DATA type numbers of the request and reply pre-authentication elements.
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17

-- TYPED-DATA numbers used in KDC error replies (see the TD-* types below).
td-trusted-certifiers INTEGER ::= 104
td-invalid-certificates INTEGER ::= 105
td-dh-parameters INTEGER ::= 109

-- Opaque Diffie-Hellman nonce contributed by each side
-- (clientDHNonce / serverDHNonce).
DHNonce ::= OCTET STRING

-- One negotiable KDF, identified by OID.
KDFAlgorithmId ::= SEQUENCE {
	kdf-id [0] OBJECT IDENTIFIER,
	...
}

-- A CA the sender trusts.  caName is carried as raw bytes (presumably a
-- DER Name); the optional serial number / SKI further narrow the match.
TrustedCA ::= SEQUENCE {
	caName [0] IMPLICIT OCTET STRING,
	certificateSerialNumber [1] INTEGER OPTIONAL,
	subjectKeyIdentifier [2] OCTET STRING OPTIONAL,
	...
}

-- Reference to a certificate by subject, issuer+serial or SKI, each as
-- raw DER bytes.  All three are OPTIONAL, so an identifier with no
-- component at all decodes successfully; callers must check for that.
ExternalPrincipalIdentifier ::= SEQUENCE {
	subjectName [0] IMPLICIT OCTET STRING OPTIONAL,
	issuerAndSerialNumber [1] IMPLICIT OCTET STRING OPTIONAL,
	subjectKeyIdentifier [2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

ExternalPrincipalIdentifiers ::= SEQUENCE OF ExternalPrincipalIdentifier

-- Client pre-authentication element.  signedAuthPack holds the CMS
-- SignedData (presumably content type id-pkauthdata) as raw bytes; the
-- AuthPack inside is only meaningful after the caller has verified that
-- signature.  kdcPkId lets the client name the KDC certificate it expects.
PA-PK-AS-REQ ::= SEQUENCE {
	signedAuthPack [0] IMPLICIT OCTET STRING,
	trustedCertifiers [1] ExternalPrincipalIdentifiers OPTIONAL,
	kdcPkId [2] IMPLICIT OCTET STRING OPTIONAL,
	...
}

-- Timestamp / nonce / checksum that bind the signed AuthPack to this
-- AS-REQ.  The cusec range constraint is commented out, so nothing in the
-- schema limits it to microseconds (0..999999); the consumer must range
-- check.  nonce is unsigned 32-bit here but signed 32-bit in the Win2k
-- variant below, so the two cannot share a decoder.  paChecksum is
-- OPTIONAL at the schema level; whether a request without it is accepted
-- is a policy decision made by the KDC code.
PKAuthenticator ::= SEQUENCE {
	cusec [0] INTEGER -- (0..999999) --,
	ctime [1] KerberosTime,
	nonce [2] INTEGER (0..4294967295),
	paChecksum [3] OCTET STRING OPTIONAL,
	...
}

-- Signed content of PA-PK-AS-REQ.  clientPublicValue is presumably only
-- present for the Diffie-Hellman mode.  supportedKDFs sits in an
-- extension addition group (between the two "..." markers) and must stay
-- after the first marker so peers without KDF support still decode it.
AuthPack ::= SEQUENCE {
	pkAuthenticator [0] PKAuthenticator,
	clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL,
	supportedCMSTypes [2] SEQUENCE OF AlgorithmIdentifier OPTIONAL,
	clientDHNonce [3] DHNonce OPTIONAL,
	...,
	supportedKDFs [4] SEQUENCE OF KDFAlgorithmId OPTIONAL,
	...
}

-- Typed-data payloads returned by the KDC: the certifiers it trusts, and
-- the client certificates it rejected.
TD-TRUSTED-CERTIFIERS ::= ExternalPrincipalIdentifiers
TD-INVALID-CERTIFICATES ::= ExternalPrincipalIdentifiers

-- Kerberos principal as it appears in an id-pkinit-san otherName.
-- Not extensible.
KRB5PrincipalName ::= SEQUENCE {
	realm [0] Realm,
	principalName [1] PrincipalName
}

-- Authorization-data element (AD- prefix) listing the CAs verified for
-- the initial authentication.
AD-INITIAL-VERIFIED-CAS ::= SEQUENCE OF ExternalPrincipalIdentifier

-- KDC reply for Diffie-Hellman mode.  dhSignedData is raw CMS SignedData
-- (presumably content type id-pkdhkeydata carrying a KDCDHKeyInfo); kdf,
-- the selected KDF, lives in an extension addition group like
-- AuthPack.supportedKDFs.
DHRepInfo ::= SEQUENCE {
	dhSignedData [0] IMPLICIT OCTET STRING,
	serverDHNonce [1] DHNonce OPTIONAL,
	...,
	kdf [2] KDFAlgorithmId OPTIONAL,
	...
}

-- KDC pre-authentication reply: either the DH material or raw CMS bytes
-- (presumably EnvelopedData holding a ReplyKeyPack).
PA-PK-AS-REP ::= CHOICE {
	dhInfo [0] DHRepInfo,
	encKeyPack [1] IMPLICIT OCTET STRING,
	...
}

-- KDC's DH public value, echoing the client nonce.  dhKeyExpiration is
-- OPTIONAL; the reuse policy for a KDC DH key when it is absent is decided
-- by the caller, not here.
KDCDHKeyInfo ::= SEQUENCE {
	subjectPublicKey [0] BIT STRING,
	nonce [1] INTEGER (0..4294967295),
	dhKeyExpiration [2] KerberosTime OPTIONAL,
	...
}

-- Public-key-encryption mode reply key, plus a checksum that presumably
-- binds the reply to the original AS-REQ.
ReplyKeyPack ::= SEQUENCE {
	replyKey [0] EncryptionKey,
	asChecksum [1] Checksum,
	...
}

-- Typed-data payload listing the DH groups the KDC accepts.
TD-DH-PARAMETERS ::= SEQUENCE OF AlgorithmIdentifier

-- Windows compat glue --

-- Pre-standard layouts.  Tag numbers, tag gaps and integer ranges below
-- are part of the wire format those peers expect; do not "tidy" them to
-- match the RFC 4556 types above.

-- Unlike PKAuthenticator: names the target KDC, has no checksum, uses an
-- unsigned 32-bit cusec and a signed 32-bit nonce, and is not extensible.
PKAuthenticator-Win2k ::= SEQUENCE {
	kdcName [0] PrincipalName,
	kdcRealm [1] Realm,
	cusec [2] INTEGER (0..4294967295),
	ctime [3] KerberosTime,
	nonce [4] INTEGER (-2147483648..2147483647)
}

-- Not extensible; no CMS-type or KDF negotiation.
AuthPack-Win2k ::= SEQUENCE {
	pkAuthenticator [0] PKAuthenticator-Win2k,
	clientPublicValue [1] SubjectPublicKeyInfo OPTIONAL
}

-- Tags start at [1]; caName is kept undecoded (heim_any).
TrustedCA-Win2k ::= CHOICE {
	caName [1] heim_any,
	issuerAndSerial [2] IssuerAndSerialNumber
}

-- Tag [1] is intentionally absent; keep the numbering as it is.
PA-PK-AS-REQ-Win2k ::= SEQUENCE {
	signed-auth-pack [0] IMPLICIT OCTET STRING,
	trusted-certifiers [2] SEQUENCE OF TrustedCA-Win2k OPTIONAL,
	kdc-cert [3] IMPLICIT OCTET STRING OPTIONAL,
	encryption-cert [4] IMPLICIT OCTET STRING OPTIONAL
}

-- Both alternatives are raw CMS bytes here (no DHRepInfo wrapper).
PA-PK-AS-REP-Win2k ::= CHOICE {
	dhSignedData [0] IMPLICIT OCTET STRING,
	encKeyPack [1] IMPLICIT OCTET STRING
}

-- Field order and tags differ from KDCDHKeyInfo: tag [1] is absent and
-- the nonce is signed 32-bit.
KDCDHKeyInfo-Win2k ::= SEQUENCE {
	nonce [0] INTEGER (-2147483648..2147483647),
	subjectPublicKey [2] BIT STRING
}

-- Carries a signed 32-bit nonce where ReplyKeyPack carries asChecksum.
ReplyKeyPack-Win2k ::= SEQUENCE {
	replyKey [0] EncryptionKey,
	nonce [1] INTEGER (-2147483648..2147483647),
	...
}

-- Both members are OPTIONAL and undecoded, so "none" and "both" are
-- syntactically valid; the caller has to enforce exactly one.
PA-PK-AS-REP-BTMM ::= SEQUENCE {
	dhSignedData [0] heim_any OPTIONAL,
	encKeyPack [1] heim_any OPTIONAL
}

-- OtherInfo input to the SP 800-56A style KDF (the id-pkinit-kdf-* OIDs).
-- algorithmID is untagged, unlike every other component in this module.
PkinitSP80056AOtherInfo ::= SEQUENCE {
	algorithmID AlgorithmIdentifier,
	partyUInfo [0] OCTET STRING,
	partyVInfo [1] OCTET STRING,
	suppPubInfo [2] OCTET STRING OPTIONAL,
	suppPrivInfo [3] OCTET STRING OPTIONAL
}

-- suppPubInfo contents: the negotiated enctype plus the raw AS-REQ,
-- PA-PK-AS-REP and ticket, presumably so the derived key is bound to this
-- specific exchange.  enctype uses a signed 32-bit range.
PkinitSuppPubInfo ::= SEQUENCE {
	enctype [0] INTEGER (-2147483648..2147483647),
	as-REQ [1] OCTET STRING,
	pk-as-rep [2] OCTET STRING,
	ticket [3] Ticket,
	...
}

END